All Apps and Add-ons

REGEX in blacklist doesn't work as intended


Hello folks,


I encountered a problem when trying to filter events from WinEventLog and EventCode 4662.  When I use the next regex in a tester or in a SPL with a data set unfiltered, it works fine. But using it in a blacklist only allows a fraction of the messages when "Default Property Set" is in the first row after Properties.


blacklist9 = EventCode="4662" Message="(Tipo\sde\sobjeto:(?!\s*groupPolicyContainer))[\s\S]*(Propiedades:(?![\s\S]*Default Property Set))"

I tried some changes to the regex but I do not find a solution for this. Thanks for your time.

Labels (2)
0 Karma


@osakachan  Can you check are you following allowed regex its little different from PCRE- inputs.conf - Splunk Documentation

0 Karma


Have you tried using erex to help build your regex? It's a hidden gem, and extremely useful.


An upvote would be appreciated and Accept Solution if it helps!
0 Karma
Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...